North Korean hackers exploit Windows zero-day flaw

North Korean hackers exploited a previously unknown vulnerability in a Windows security feature, allowing them to gain the highest level of access to targeted systems.

A zero-day flaw in AppLocker — a service that helps administrators control which applications are allowed to run on a system — was discovered by researchers at the Czech cybersecurity firm Avast and patched by Microsoft earlier this month.

By exploiting this bug, tracked as CVE-2024-21338, hackers with administrative privileges could escalate their access to the kernel level — the highest level of access in the operating system, reserved for performing critical system functions.

“With kernel-level access, an attacker might disrupt security software, conceal indicators of infection, turn off mitigations, and more,” Avast said.

To carry out malicious activities within the victim’s system, hackers believed to be part of North Korea’s infamous Lazarus group used the FudModule rootkit — a type of malware designed to provide unauthorized access to a computer while concealing its presence.

Researchers said that the hackers improved the rootkit's functionality, making it stealthier. Some of the malware techniques, for example, were designed to evade detection and disable security protections, including Windows Defender, CrowdStrike Falcon and HitmanPro.

Avast said that the FudModule rootkit is “one of the most complex tools Lazarus holds in their arsenal.” Recent updates to the malware also show Lazarus’ commitment to continuing active development of the rootkit, researchers said.

The report does not mention which organizations were targeted in the latest Lazarus campaign or how successful it was.

Lazarus remains among “the most prolific and long-standing” advanced hacker groups, according to Avast. “Though their signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected level of technical sophistication,” researchers said.

Earlier this week, Japanese researchers discovered that Lazarus targeted software developers with malicious open-source software packages uploaded to a repository used by the Python community. The malicious packages were downloaded hundreds of times, according to researchers.

Earlier in February, the German and South Korean intelligence agencies issued a joint advisory warning of an ongoing North Korean cyber-espionage operation targeting the global defense sector. Lazarus was among the threat actors mentioned in the advisory. The report emphasized that the techniques the group used against the defense sector were similar to those employed in attacks against cryptocurrency firms and software developers.

Lazarus has also targeted the judicial system in South Korea. In February, South Korean police confiscated servers from the country's Supreme Court that were allegedly hacked by Lazarus last year. The servers are still under investigation.

According to the latest report by crypto analytics firm Chainalysis, North Korean hackers, including Lazarus, hacked more crypto platforms than ever last year, with the number of stolen assets reaching $1 billion.

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.